Fuzzer tests for AudioDecoder's DecodeRedundant and IncomingPacket

webrtc/test/fuzzers/audio_decoder_fuzzer.cc

Index: webrtc/test/fuzzers/audio_decoder_fuzzer.cc
diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
index fb5adb6cd8e55ca236138a00e762d75b5151cde5..8c796e91dcdb98cb3918f090128368fa8825b62f 100644
--- a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
+++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
@@ -10,15 +10,32 @@
 
 #include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
 
+#include <limits>
+
 #include "webrtc/base/checks.h"
+#include "webrtc/base/optional.h"
 #include "webrtc/modules/audio_coding/codecs/audio_decoder.h"
+#include "webrtc/modules/rtp_rtcp/source/byte_io.h"
 
 namespace webrtc {
 namespace {
 size_t PacketSizeFromTwoBytes(const uint8_t* data, size_t size) {

[pbos-webrtc, 2016/01/25 13:53:07]

Imo. remove this function and do as below:

[hlundin-webrtc, 2016/01/25 15:47:09]

Done.

-  if (size < 2)
-    return 0;
-  return static_cast<size_t>((data[0] << 8) + data[1]);
+  return size < 2 ? 0 : static_cast<size_t>(
+                            ByteReader<uint64_t, 2>::ReadBigEndian(data));
+}
+
+template <typename T>
+T ReadIntCheckedAndIncrement(const uint8_t** data, size_t* size) {

[pbos-webrtc, 2016/01/25 13:53:07]

bool ParseInt(T* int, size_t size, const uint8_t** data, size_t* remaining_size)

[hlundin-webrtc, 2016/01/25 15:47:09]

Done, except that I omitted your second argument (size), and changed the order
of the remaining ones.

[hlundin-webrtc, 2016/01/26 13:01:55]

And when I say "omitted" I mean "moved it to be a template parameter".

+  static_assert(std::numeric_limits<T>::is_integer, "Type must be an integer.");
+  static_assert(sizeof(T) <= sizeof(uint64_t),
+                "Cannot read wider than uint64_t.");
+  const size_t N = sizeof(T);
+  RTC_DCHECK_LE(N, *size);
+  uint64_t val = ByteReader<uint64_t, sizeof(T)>::ReadBigEndian(*data);
+  *data += N;
+  RTC_DCHECK_GE(*size, N);  // Make extra sure we don't wrap *size.
+  *size -= N;
+  return static_cast<T>(val);
 }
 }  // namespace
 
@@ -35,7 +52,7 @@ void FuzzAudioDecoder(const uint8_t* data,
   const uint8_t* data_ptr = data;
   size_t remaining_size = size;
   size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
-  while (packet_len != 0 && packet_len <= remaining_size - 2) {
+  while (packet_len != 0 && packet_len + 2 <= remaining_size) {

[pbos-webrtc, 2016/01/25 13:53:07]

while (ParseInt(&packet_len, 2, data_ptr, &remaining_size) && packet_len <=
remaining_size)

here and below

[hlundin-webrtc, 2016/01/25 15:47:09]

Done.

     data_ptr += 2;
     remaining_size -= 2;
     AudioDecoder::SpeechType speech_type;
@@ -46,4 +63,55 @@ void FuzzAudioDecoder(const uint8_t* data,
     packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
   }
 }
+
+// This function is identical to FuzzAudioDecoder above, with the distinction
+// that it call DecodeRedundant instead of Decode.
+void FuzzAudioDecoderRedundant(const uint8_t* data,
+                               size_t size,
+                               AudioDecoder* decoder,
+                               int sample_rate_hz,
+                               size_t max_decoded_bytes,
+                               int16_t* decoded) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  while (packet_len != 0 && packet_len + 2 <= remaining_size) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    AudioDecoder::SpeechType speech_type;
+    decoder->DecodeRedundant(data_ptr, packet_len, sample_rate_hz,
+                             max_decoded_bytes, decoded, &speech_type);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
+
+// This function is similar to FuzzAudioDecoder, but also reads fuzzed data into
+// RTP header values. The fuzzed data and values are sent to the decoder's
+// IncomingPacket method.
+void FuzzAudioDecoderIncomingPacket(const uint8_t* data,
+                                    size_t size,
+                                    AudioDecoder* decoder) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  // Sum length of rtp_sequence_number, rtp_timestamp, and arrival_timestamp.
+  const size_t header_len = sizeof(uint16_t) + 2 * sizeof(uint32_t);

[pbos-webrtc, 2016/01/25 13:53:07]

kHeaderLength

[hlundin-webrtc, 2016/01/25 15:47:09]

Done.

+  while (packet_len != 0 && packet_len + 2 + header_len <= remaining_size) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    const uint16_t rtp_sequence_number =
+        ReadIntCheckedAndIncrement<uint16_t>(&data_ptr, &remaining_size);

[pbos-webrtc, 2016/01/25 13:53:07]

if (!ParseInt).. (break; or rtp_sequence_number = 0)

[hlundin-webrtc, 2016/01/25 15:47:09]

Done.

+    const uint32_t rtp_timestamp =
+        ReadIntCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size);
+    const uint32_t arrival_timestamp =
+        ReadIntCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size);
+    decoder->IncomingPacket(data_ptr, packet_len, rtp_sequence_number,
+                            rtp_timestamp, arrival_timestamp);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
 }  // namespace webrtc